Collect device fingerprint data in the browser using the 3DS Method URL (if provided by the ACS) before initiating authentication
Send an Authentication Request (AReq) to the Directory Server with required fields: acctNumber (PAN), messageType AReq, messageVersion, merchantID, purchaseAmount, and deviceChannel (BRW for browser)
Receive the Authentication Response (ARes): if transStatus is Y (authenticated) or A (attempted), proceed to authorization; if C, present the challenge URL to the cardholder
For a challenge flow, redirect the cardholder's browser to the ACS URL with the encoded CReq, then receive the CRes after cardholder interaction
Extract the ECI (Electronic Commerce Indicator) and CAVV (Cardholder Authentication Verification Value) / authenticationValue from the final ARes or RReq
Include ECI and CAVV in the authorization request to the card network to receive liability shift; ECI 05 (Visa) or 02 (Mastercard) indicates full authentication
Known gotchas
3DS2 frictionless and challenge flows have different timing — frictionless completes in one round-trip while challenge requires cardholder interaction that may take seconds to minutes
ECI value meanings differ between Visa and Mastercard: Visa uses 05 (authenticated), 06 (attempted); Mastercard uses 02 (authenticated), 01 (attempted) — map correctly per network
The CAVV/authenticationValue is base64-encoded and must be passed verbatim to the card network in the authorization; any modification invalidates liability shift
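The steps and gotchas above, condensed into an added Python example (not code from the original page): it routes on transStatus, checks the ECI against the correct network's table, and forwards the CAVV string untouched. The sample message, the function names and the output key names are assumptions made for illustration.

```python
import base64
import binascii

# ECI meanings per network, as listed in the gotchas above.
ECI_MEANING = {
    "visa": {"05": "authenticated", "06": "attempted"},
    "mastercard": {"02": "authenticated", "01": "attempted"},
}

# Constructed sample ARes fragment (values are made up for this example).
SAMPLE_ARES = {"transStatus": "Y", "eci": "05",
               "authenticationValue": "AAECAwQFBgcICQoLDA0ODxAREhM="}


def next_step(ares):
    """Map transStatus from the ARes to the next action in the flow."""
    status = ares.get("transStatus")
    if status in ("Y", "A"):
        return "authorize"
    if status == "C":
        return "challenge"
    return "not_authenticated"  # any other status: attach no 3DS data


def build_auth_fields(network, result):
    """Build 3DS fields for authorization from the final ARes or RReq.

    Output key names are hypothetical; use your acquirer's field names.
    """
    eci, cavv = result["eci"], result["authenticationValue"]
    meaning = ECI_MEANING[network.lower()].get(eci)
    if meaning is None:
        # Catches e.g. a Mastercard ECI attached to a Visa transaction.
        raise ValueError(f"ECI {eci!r} is not listed for {network}")
    try:
        # Validate only: the decoded bytes are discarded, never re-encoded.
        base64.b64decode(cavv, validate=True)
    except binascii.Error as exc:
        raise ValueError("authenticationValue is not valid base64") from exc
    return {"eci": eci, "cavv": cavv,  # cavv is the original string, verbatim
            "auth_level": meaning,
            "fully_authenticated": meaning == "authenticated"}
```
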